Spammers exploit this feature by filling up the space in front of the @ with irrelevant nonsense, in order to confuse their uninformed victims. Just ignore that nonsense, and the remainder will show you what's really going on.
If you are looking to get into a "Members" page with a password dialog box (standard security) you can type your username and password into the url separated by a ":" and leading into it with "@"
[grumpus:firstname.lastname@example.org...] would log me in to the member area here, if there was an area using standard password protected directories. (I don't think that's the case with this site, but you get the idea).
Yes, the part in front of the @ is a username/password. But some companies sell those as -- like Hakre mentioned -- '@-domains', where the @ usually replaces an a. So: email@example.com would actually be a specific user at the sterworld.com domain. Scripts detect the part in front of the @ and redirect appropriately. Clever idea, but it seems to have been more or less of a flop (no wonder, when 99% of internet users think its spelled wrong, or an email address, etc). You also can't search for such domains on Google, apparently.. wonder if they are indexed this way at all.